Millions of passwords at risk with Heartbleed bug

A flaw in the security tool that is used by two-thirds of web servers has potentially exposed passwords, banking information and other sensitive material to hackers.

By Natalie Crofts

Journal Star

Posted Apr. 9, 2014 at 12:01 AM
Updated Apr 9, 2014 at 10:34 AM

A flaw in the security tool that is used by two-thirds of web servers has potentially exposed passwords, banking information and other sensitive material to hackers, security engineers announced Monday.
The vulnerability in OpenSSL, which is used by a vast majority of websites to encrypt sensitive information, has existed for two years but was recently discovered by security engineers at Codenomicon and Neel Mehta of Google Security, according to an FAQ webpage the team created about the bug. They named the threat the "Heartbleed" bug.
"It's a serious bug, in that it doesn't leave any trace," Codenomicon chief executive David Chartier told the New York Times. "Bad guys can access the memory on a machine and take encryption keys, usernames, passwords, valuable intellectual property, and there's no trace they've been there."
Even though there have been no reported security breaches of hackers using the bug, researchers said any website that has used OpenSSL should be considered compromised, since there would be no record of anyone who accessed information using Heartbleed.
Major websites including Google, Facebook and Amazon may have been vulnerable to the bug in the past, but have since announced they have taken action to protect information on their sites. Yahoo's services, including Yahoo Mail, were open for infiltration with the bug, and at least one security researcher claimed they were able to gain access to a list of 200 Yahoo usernames and passwords using the bug in only five minutes, according to CNET. Yahoo announced the problem had been fixed later Tuesday.
So what should Internet users do to protect themselves from the Heartbleed bug? Security experts advised changing passwords, but said people should wait until they receive confirmation from the website to let them know the problem has been resolved.
If users change their password before a website has protected itself against the flaw and installed the fixed version of OpenSSL, they may just end up exposing a new password to hackers, independent computer security consultant Mark Seiden told the New York Times.
"There's nothing users can do until the web services have made their sites secure," Seiden said.
Some websites, like Tumblr, have sent announcements to their users after the bug was fixed. The company recommended taking security precautions once users know a website has been made secure again.
"This still means that the little lock icon (HTTPS) we all trusted to keep our passwords, personal emails and credit cards safe was actually making all that private information accessible to anyone who knew about the exploit," a statement from the company reads. "This might be a good day to call in sick and take some time to change your passwords everywhere - especially your high-security services, like email, file storage and banking, which may have been compromised by this bug."
Those curious about which websites are secure can use a free Heartbleed test, which was designed to check the current status of different Web servers to see if they are vulnerable to the bug.
Online security experts have long advocated creating unique passwords for different websites and then routinely changing them for increased protection of sensitive information.
Easy ways to create a strong password include replacing correctly spelled words with misspellings, making sure passwords are at least 8 characters long and mixing letters, numbers and symbols, according to Business Insider.
Seiden also suggested users could create a series of strong passwords to be used on different sites by using variations on a core password.